PowerShell: Get SHA256 Thumbprint from vCenter server using PowerShell Core (NSX-T Compute Manager Registration related)

Summary:
Had a need to pull a target vCenter's SSL certificate and convert its thumbprint to SHA256 format in order to register the vCenter with NSX-T Manager using PowerShell Core. The ServicePoint-based approach that works in Windows PowerShell is not available in Core.

I also noticed that Lam recently updated his approach to take Core into account. My approach is slightly different, and my function can also return the certificate object itself if you so choose, rather than just the SHA256 value. Note that the function deliberately accepts whatever certificate the target presents (the validation callback returns true, so no chain checking is done); that is what lets it read a self-signed vCenter certificate, but it also means the thumbprint it returns must be confirmed against the certificate vCenter itself shows before you trust it in NSX-T. I've tested it in PowerShell Core 6.0.4 and 6.1 on Ubuntu, CentOS, and macOS and the function seems to work fine. Let me know if you see otherwise.

Gist below (Get-SSLCert.ps1):
Function Get-SSLCert{
<#
.SYNOPSIS
Gets the SSL certificate of a remote system.
.DESCRIPTION
Gets the SSL certificate of a remote system in order to get its thumbprint.
The certificate is accepted without chain validation (that is the point: a vCenter with a
self-signed or private-CA certificate still returns its certificate), so the value returned
must be confirmed against the certificate shown by vCenter itself before it is used as a
trust anchor in NSX-T.
.EXAMPLE
Get-SSLCert tech.zsoldier.com
Returns the certificate as an X509Certificate2 object.
.EXAMPLE
Get-SSLCert tech.zsoldier.com -SHA256Thumbprint
Outputs only the certificate's thumbprint in SHA256 format, with ":" instead of "-" between the hex bytes.
Made to enable capturing a vCenter certificate's thumbprint in SHA256 format to register it in NSX-T as a compute manager.
.PARAMETER SHA256Thumbprint
Outputs the SHA256 formatted thumbprint instead of the certificate object. Defaults to false.
.PARAMETER URI
Required. DNS name or IP address of the target.
.PARAMETER Port
The port to connect to. 443 is the default; change it to match the endpoint's actual port for SSL communications.
Port 636 has given mixed results, unsure why. Try 3389 instead to get the cert.
.PARAMETER DownloadCert
Also writes the target's cert (DER encoded, .cer) to the current path.
.NOTES
Authored by: K. Chris Nakagaki
https://tech.zsoldier.com
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]
    $URI,
    [Parameter(Mandatory=$false)]
    [switch]
    $SHA256Thumbprint,
    [int]
    $Port = 443,
    [switch]
    $DownloadCert
)
$Certificate = $null
$TcpClient = New-Object -TypeName System.Net.Sockets.TcpClient
try
{
    $TcpClient.Connect($URI, $Port)
    $TcpStream = $TcpClient.GetStream()
    # Accept every certificate: the chain is not validated because we are here to read the
    # certificate, not to trust it. Verify the returned thumbprint out of band.
    $Callback = { param($sender, $cert, $chain, $errors) return $true }
    $SslStream = New-Object -TypeName System.Net.Security.SslStream -ArgumentList @($TcpStream, $true, $Callback)
    try
    {
        # $URI is also sent as the SNI host name, so a server with several certificates returns the right one.
        $SslStream.AuthenticateAsClient($URI)
        $Certificate = $SslStream.RemoteCertificate
    }
    finally
    {
        $SslStream.Dispose()
    }
}
finally
{
    $TcpClient.Dispose()
}
if (-not $Certificate) { return }
if ($Certificate -isnot [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
    $Certificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Certificate
}
# The SHA256 thumbprint is the hash of the DER-encoded certificate (RawData), not of the public key.
$SHA256 = [Security.Cryptography.SHA256]::Create()
try
{
    $HASH = $SHA256.ComputeHash($Certificate.RawData)
}
finally
{
    $SHA256.Dispose()
}
$thumbprint = [BitConverter]::ToString($HASH).Replace('-',':')
if ($DownloadCert)
{
    # Build a file name from the subject, dropping anything that is not a word character, dot or dash.
    $subjectname = $Certificate.Subject.Replace("C=","").Replace("CN=","") -replace '[^\w.\-]', ''
    $randomfilename = ($subjectname + (Get-Random) + ".cer")
    $path = Join-Path -Path (Get-Location).Path -ChildPath $randomfilename
    [System.IO.File]::WriteAllBytes($path, $Certificate.RawData)
    Write-Verbose "Wrote certificate to $path"
}
# Output exactly one object: the thumbprint string or the certificate.
if ($SHA256Thumbprint)
{
    Write-Output $thumbprint
}
else
{
    Write-Output $Certificate
}
}
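The following is an added example, not part of the original post or the gist above. It shows the same thumbprint computation (SHA256 over the certificate's DER bytes, colon-separated hex), cross-checks it against .NET's own GetCertHashString(SHA256), and adds the verification step that Get-SSLCert leaves to you: comparing the value you pulled against the thumbprint vCenter shows, whatever format it was copied in. To run offline it generates a throwaway self-signed certificate in-process with CertificateRequest (available in .NET Core 2.0+, i.e. PowerShell Core 6 and later). The function names, the CN and the "wrong value" input are this example's own.

```powershell
# Added example (not part of the original post): compute and verify a certificate's SHA256
# thumbprint offline. Function names and the throwaway certificate are this example's own.

function Get-CertSha256Thumbprint {
    # Returns the SHA256 thumbprint in the colon-separated upper-case hex format NSX-T expects.
    param ([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # Hash the DER encoding of the whole certificate (RawData), exactly as Get-SSLCert does.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try     { $hash = $sha256.ComputeHash($Certificate.RawData) }
    finally { $sha256.Dispose() }
    return ([BitConverter]::ToString($hash)).Replace('-', ':')
}

function ConvertTo-NormalizedThumbprint {
    # Accepts "AA:BB", "AA-BB", "aabb" or "aa bb" and returns the bare upper-case hex string,
    # so a value copied from the vCenter UI, a browser, or openssl compares correctly.
    param ([Parameter(Mandatory=$true)][string] $Thumbprint)
    return ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-CertSha256Thumbprint {
    # True only when the certificate's SHA256 thumbprint equals the expected value. This check is
    # what turns a blindly accepted certificate (Get-SSLCert validates nothing) into a trusted one.
    param (
        [Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory=$true)][string] $Expected
    )
    $actual = ConvertTo-NormalizedThumbprint (Get-CertSha256Thumbprint $Certificate)
    $wanted = ConvertTo-NormalizedThumbprint $Expected
    # 32 bytes = 64 hex characters; anything else is not a SHA256 thumbprint at all.
    return ($wanted.Length -eq 64) -and ($actual -ceq $wanted)
}

# Throwaway self-signed certificate (constructed here), generated in-process so nothing
# is fetched from the network. CertificateRequest needs .NET Core 2.0+ (PowerShell Core 6+).
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
try {
    $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        'CN=vcenter.example.test', $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $now  = [DateTimeOffset]::UtcNow
    $cert = $request.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
}
finally { $rsa.Dispose() }

$thumbprint = Get-CertSha256Thumbprint $cert
"SHA256 thumbprint: $thumbprint"

# Cross-check against the framework's own SHA256 fingerprint (same DER bytes, same digest).
$builtin = $cert.GetCertHashString([System.Security.Cryptography.HashAlgorithmName]::SHA256)
"Matches GetCertHashString(SHA256): $((ConvertTo-NormalizedThumbprint $thumbprint) -eq $builtin)"

# Verification as you would do it before registering the compute manager: the expected value
# comes from vCenter's own certificate view (here the same cert, so it passes), a value copied
# in another format still compares correctly, and a wrong value is rejected.
"Pin check (colon format):   $(Test-CertSha256Thumbprint $cert $thumbprint)"
"Pin check (lower, no sep):  $(Test-CertSha256Thumbprint $cert $builtin.ToLowerInvariant())"
"Pin check (wrong value):    $(Test-CertSha256Thumbprint $cert ('A' * 64))"
```

In practice the second argument to Test-CertSha256Thumbprint is the thumbprint vCenter displays for its own certificate, and the first is the object returned by Get-SSLCert; only when the check passes should the value be handed to NSX-T.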

Comments

Unknown said…
Hi Chris,

I am in a learning curve of PowerShell; if you don't mind, can you please walk me through how to use this script?


Thanks for understanding.


Zsoldier said…
Sure thing. To use it is quite simple. From a PowerShell window, you can simply copy all the text on this page and paste into that PowerShell window. Once you do that, you can now call that function by typing “Get-SSLCert google.com” without the quotes. That’s one way to use it. Other ways are by simply saving the code above into a ps1 file (literally a text document with a .ps1 extension instead of a .txt) and using import-module nameofps1file.ps1.
JC said…
Thanks for posting this, it's exactly what I needed.
